
Welcome to Cisco Firewalls Community


Beginner

why can't access same websites on restricted PC?

Have an ASA5510-K8 as firewall, with access rules set up for restricted PCs:

  • Source: IP range of these PCs 192.168.x.0/24
  • Destination: publicPC
  • Service: tcp/http
  • Interface: inside
  • Action: permit

On those PCs, users can only browse the websites that are in favorites, but some of them are working, some are not.

Tested on an unrestricted PC: websites that can’t be accessed from public PCs can be accessed on regular PCs, either by address or IP.

Checked GPO setting, don’t see anything wrong there.


Can anyone please tell me what's wrong and where I should start troubleshooting? Thx.

Advisor

Hi,

On the unrestricted PC, do a ping www.xxxxx to get the IP of the site that is not working on the restricted PC, then add an entry in the hosts file for this URL, flush the DNS cache of the PC and try browsing. If it is working then it is a DNS problem and you'll have to modify your ACL for DNS queries.

Regards.

Alain

Don't forget to rate helpful posts.
Beginner

Kind of figured out the cause. In the ASA there are a whole bunch of access rules; for restricted PCs, one ASA rule puts all accessible websites under that rule, but the websites there are based on IP addresses and not web addresses (www.xxxx.xx). For those inaccessible websites, their IP addresses are not valid anymore, so now my question is: how do I find the accurate IP address of a website?

The IP I got from the unrestricted PC by ping is not accurate/valid either. For example, I can access a website from the unrestricted PC and, using ping, get the IP of this website, but I just can’t use this IP to browse to the website, which means the IP is inaccurate or invalid (this was all done on the unrestricted PC).

Tried on some nslookup websites such as WHOIS, always got “the website you put in is invalid”.

Do I have to contact every website webmaster to get the valid IP? It’s too much work.

All help is appreciated. Thx.

Advisor

Hi,

in this case use a proxy.

Regards.

Alain

Don't forget to rate helpful posts.
Beginner

Figured out an easier way:

in CMD

nslookup

set type=a

type in www.xxxxxx.xxx

Got the accurate IP, changed the IP in the ASA access rule --> apply, working.

thx for response.
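
An added example, not part of the thread: a Python sketch that repeats the nslookup comparison above for every host entry in an ASA-style access list and reports the entries whose IP no longer matches DNS. The ACL name, the convention of a remark line naming the site before each permit line, and all sample addresses are constructed assumptions.

```python
import re
import socket

# Constructed sample: ASA-style ACL lines, each permit preceded by a remark
# naming the site it was created for (ACL name and addresses are made up).
SAMPLE_ACL = """\
access-list inside_access_in remark www.example.com
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 host 203.0.113.10 eq www
access-list inside_access_in remark intranet.example.org
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 host 198.51.100.7 eq www
"""

def parse_acl(text):
    """Return [(hostname, ip)], pairing each remark with the host entry after it."""
    pairs, site = [], None
    for line in text.splitlines():
        m = re.match(r"access-list \S+ remark (\S+)", line)
        if m:
            site = m.group(1)
            continue
        m = re.search(r"permit tcp .* host (\d+\.\d+\.\d+\.\d+) eq (?:www|80)\b", line)
        if m and site:
            pairs.append((site, m.group(1)))
    return pairs

def resolve_a(hostname):
    """Current IPv4 addresses for hostname, via the system resolver."""
    try:
        infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()  # name does not resolve at all
    return {info[4][0] for info in infos}

def audit(acl_text, resolver=resolve_a):
    """Return [(hostname, acl_ip, current_ips)] for entries DNS no longer backs."""
    stale = []
    for site, ip in parse_acl(acl_text):
        current = resolver(site)
        if ip not in current:
            stale.append((site, ip, sorted(current)))
    return stale

if __name__ == "__main__":
    for site, ip, current in audit(SAMPLE_ACL):
        print(f"{site}: ACL has {ip}, DNS now returns {current or 'no A record'}")
```

A site behind several addresses is reported only when the ACL address is missing from the whole set DNS returns, so a name with rotating records needs every returned address permitted.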
